← Back to context

Comment by hnlmorg

2 hours ago

> I assume it's probably a software bug, they assume it's an exploit.

They're not mutually exclusive.

I suspect you and the security team are arguing the same thing but with different terminology.

When vulnerabilities (which, in the vast majority of cases, are accidental) are published, or when static analysis tools review code, you'll get a description and a severity score. That description will broadly describe how, if possible, that vulnerability can be exploited.

Working for an in-house security team basically just means you're a risk assessor. And the way you assess risks is to look at the potential consequences of those risks. Which means looking at how bugs can be exploited.

But none of this means those vulnerabilities were placed in the code intentionally and with malice. It just means that someone else who is malicious could, theoretically, exploit those vulnerabilities. And if the risk of that is greater than the risk appetite of the business (as will typically be the case), then they'll feedback to you that there is an exploitable vulnerability that you need to patch.